IdP group mapping
- Updated: 2024/11/04
When you integrate your Control Room with your Identity Provider (IdP), user accounts in your IdP are automatically provisioned in the Control Room.
Important: After you configure IdP group mapping in the
Control Room and enable the SAML automatic user account provisioning
option in the Control Room, users, roles, and licenses are managed only
through the IdP group mapping configured in the Control Room.
Therefore, ensure that at least one IdP group mapping is assigned a Control Room role
that has the Manage settings and Manage roles permissions. Users who are
responsible for managing the Control Room IdP group mapping must be assigned to
this role. If no such IdP group mapping exists in the Control Room, no user
will be able to manage the Control Room IdP group mapping, because accounts,
roles, and licenses can no longer be changed outside the mapping.
See Create IdP group mapping | Enable SAML automatic user account provisioning.
Note: This feature requires the Enterprise Platform
license. For information about the supported versions for this feature, see Enterprise Platform.
The Control Room administrator
performs the following tasks in the Control Room so that customer-managed
IdP user accounts can be automatically provisioned:
- Creates IdP group mapping in the Control Room.
- Assigns roles to the IdP group mapping in the Control Room.
- Assigns a license to the IdP group mapping in the Control Room.
Regardless of which of the following applies to your IdP, the IdP user
accounts are automatically provisioned in the Control Room based on the
IdP group mapping configured by the Control Room administrator:
- You have existing IdP user groups.
- You have updated your existing IdP user groups.
- You have created new IdP user groups.
When an IdP user whose IdP user account is mapped to an IdP group mapping in the Control Room logs in to the Control Room, the Control Room validates the user information and updates it accordingly. Any change in the user information is automatically applied to the IdP user in the Control Room.
The following is the workflow for IdP group mapping:
- In the customer managed IdP, user groups are already managed logically.
- The Control Room administrator creates IdP group mapping and assigns roles and license. See Create IdP group mapping.
- The Control Room administrator enables automatic user account provisioning. See Enable SAML automatic user account provisioning.
- An IdP user logs in to the Control Room using single sign-on (SSO). An IdP SAML assertion that includes the user details is sent from the IdP to the Control Room.
- The Control Room validates the IdP SAML assertion against the IdP
group mapping configured in the Control Room and performs the
following actions:
  - If the user does not exist in the Control Room, the user is created with the attributes included in the IdP SAML assertion and assigned the roles and license configured in the IdP group mapping.
  - If the user already exists in the Control Room and is active, the Control Room checks the IdP SAML assertion for changes in the user information, roles, or license and updates the user accordingly.
  - If the user already exists in the Control Room and is inactive, the Control Room enables the user, checks the IdP SAML assertion for changes in the user information, roles, or license, and updates the user accordingly.
When a user is a member of multiple IdP user groups and the corresponding IdP group mappings
with different roles and licenses exist in the Control Room, the
following behavior applies:
- The user is assigned the combined set of roles from all matching IdP group mappings.
- Only one license is allocated to the user, chosen according to the license allocation order preference. See Configure license order preference.
Note: The IdP administrators must map the Control Room attribute names to their IdP attribute names so that the
required information is included in the IdP SAML assertions that the IdP sends
to the Control Room during user authorization. See IdP group mapping examples.
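The following Python simulation is an added example, not Automation Anywhere code and not the Control Room's actual implementation. It walks through the provisioning workflow described above: translating IdP attribute names to the attribute names the Control Room expects, matching the groups in a SAML assertion against configured group mappings, creating a new user or re-enabling an inactive one, combining roles across several matching mappings, and selecting a single license by order preference. It also includes the administrative check from the Important note: that at least one mapping carries a role with both Manage settings and Manage roles. The SAML assertion, group names, role names, license names, and attribute names are all constructed for illustration.

```python
"""Simulation of IdP group mapping provisioning (added example, not product code).

Every identifier below (GroupMapping, provision, the group, role, license and
attribute names, and the SAML assertion) is a constructed assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Permissions that at least one mapped role must carry so that someone can
# still administer the group mapping after automatic provisioning is enabled.
ADMIN_PERMISSIONS = {"Manage settings", "Manage roles"}


@dataclass
class GroupMapping:
    idp_group: str          # group name as it appears in the IdP assertion
    roles: Set[str]         # Control Room roles assigned by this mapping
    license: Optional[str]  # license assigned by this mapping, if any


@dataclass
class User:
    username: str
    email: str
    roles: Set[str] = field(default_factory=set)
    license: Optional[str] = None
    active: bool = True


# Constructed configuration: IdP attribute name -> Control Room attribute name.
ATTR_MAP = {"uid": "username", "mail": "email", "memberOf": "groups"}

# Constructed group mappings, each with its own roles and license.
MAPPINGS = [
    GroupMapping("RPA-Developers", {"Bot Creator"}, "Bot Creator"),
    GroupMapping("RPA-Admins", {"IdP Mapping Admin"}, "Attended Bot Runner"),
]
# Constructed license order preference: first match wins.
LICENSE_ORDER = ["Bot Creator", "Attended Bot Runner"]
# Constructed role -> permissions table.
ROLE_PERMISSIONS = {
    "Bot Creator": {"View bots", "Create bots"},
    "IdP Mapping Admin": {"Manage settings", "Manage roles", "View users"},
}

# Constructed SAML assertion using the IdP's own attribute names.
ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>RPA-Developers</saml:AttributeValue>
      <saml:AttributeValue>RPA-Admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def validate_mappings(mappings: List[GroupMapping], role_permissions: Dict[str, Set[str]]) -> bool:
    """True if some mapping assigns a role holding both Manage settings and Manage roles."""
    return any(ADMIN_PERMISSIONS <= role_permissions.get(r, set())
               for m in mappings for r in m.roles)


def parse_assertion(xml_text: str, attr_map: Dict[str, str]) -> Dict[str, object]:
    """Read the AttributeStatement and rename IdP attributes to Control Room names.
    Attributes with no mapping are ignored; 'groups' keeps all values, others the first."""
    root = ET.fromstring(xml_text)
    attrs: Dict[str, object] = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        cr_name = attr_map.get(attr.get("Name", ""))
        if cr_name is None:
            continue
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[cr_name] = values if cr_name == "groups" else values[0]
    return attrs


def provision(attrs: Dict[str, object], mappings: List[GroupMapping],
              license_order: List[str], users: Dict[str, User]) -> Optional[User]:
    """Create, update, or re-enable a user from mapped attributes. Returns None if
    the user belongs to no mapped group (no provisioning happens)."""
    groups = attrs.get("groups", [])
    matched = [m for m in mappings if m.idp_group in groups]
    if not matched:
        return None
    roles: Set[str] = set()
    for m in matched:
        roles |= m.roles                     # union of roles across mappings
    candidates = {m.license for m in matched if m.license}
    license = next((l for l in license_order if l in candidates), None)  # one license only
    username, email = str(attrs["username"]), str(attrs["email"])
    user = users.get(username)
    if user is None:                         # new user: create with assertion attributes
        user = User(username, email, roles, license)
        users[username] = user
    else:                                    # existing user: re-enable if needed, then sync
        user.active = True
        user.email, user.roles, user.license = email, roles, license
    return user
```

Running the simulation with the constructed assertion yields a user holding both roles but only the Bot Creator license, since that license comes first in the order preference; running it a second time for the same user after marking the account inactive re-enables it rather than creating a duplicate.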